IoT security: A failure to plan is planning to fail

Flickering lightbulbs, scary Barbie dolls, infected computer networks and the threat of whole cities out of action. This could be the brave new world of the IoT, if we continue to neglect security, says Ian Kilpatrick, executive vice president for IT distribution company Nuvias Group, in a contributed article for Internet of Business.

For several years, the IT industry has enthusiastically extolled the virtues of the IoT, eager to enlighten us to the difference that living in a connected world will make to all our lives.

Now the IoT is here, in our homes and in the workplace. Its uses range widely, from domestic time-savers like switching on the heating, to surveillance systems, to ‘intelligent’ lightbulbs, to the smart office dream.

New threats, new vulnerabilities

This proliferation of devices and objects, designed to collect and share huge amounts of data, has the potential to create vulnerabilities. Moreover, because these devices are connected to one another, if one device is compromised, a hacker has the potential opportunity to connect to multiple other devices on the network.

Indeed, there have been a number of high-profile cases where everyday items have been used to force websites offline. Last year, hackers exploited the weak security of internet-connected devices, like DVRs and cameras, using botnets implanted on the devices, to take down sites such as Amazon, Netflix, Twitter, Spotify, Airbnb and PayPal in the Mirai botnet attack. Previously, security vulnerabilities in a new, WiFi-enabled Barbie doll were discovered, effectively turning it into a surveillance device by joining the connected home network.

Elsewhere, researchers said they had developed a self-propagating worm that could potentially travel through ‘smart’ connected lightbulbs city-wide, causing the web-connected bulbs to flick on and off.

These are just a few examples of the security failures in IoT-enabled devices. Unfortunately, they are not exceptions. Manufacturers are rushing to make their devices internet-connected but, in many cases, with little thought (or indeed knowledge) around security.

The next step on IoT’s journey is connected or smart cities, where the consequences of an attack are enormous. It’s not just one lightbulb – a hacker can potentially plunge an entire city into darkness, or disable surveillance systems, causing chaos.

Corporate responses

With IoT devices now moving into the workplace, organisations are increasingly vulnerable to attack. A survey by analyst group 451 Research predicts that enterprises will increase their IoT investment 33 percent over the next 12 months, but that security remains a concern with half of respondents citing it as the top impediment to IoT deployments.

Nevertheless, it says that organisations are forging ahead with IoT initiatives and opening their wallets to support IoT deployments.

There’s no turning back the tide of any of these IoT applications. In fact, we shouldn’t try to halt progress. However, checking the security capabilities before deployment isn’t a bad strategy. Especially as it is important to ensure that the advance of IoT isn’t providing hackers and criminals with another entry point for attack.

The IoT challenge is backfilling security onto IoT devices. Because these devices are not running on standard operating systems, they are often invisible to a large part of an organisation’s defences. And if a device is compromised, and you end up with malware within your organisation, you must firstly spot the breach, and then find out where it’s coming from – not an easy task.

Cleaning the device won’t necessarily fix the problem, as you will have a compromised IoT device within your security perimeter, which will just continue to re-infect other devices.

There are many different types of solutions available. Kaspersky Labs, for example, has Kaspersky OS, a secure environment for the IoT. Other suppliers, including Tenable Networks and Check Point, also provide solutions that are relevant here.

A key action for organisations is to pay close attention to the network settings for IoT devices and, where possible, separate them from access to the internet and to other devices.

Also IoT devices should be identified and managed alongside regular IT asset inventories; and basic security measures like changing default credentials and rotating strong Wi-Fi network passwords should be used.

As much as IoT manufacturers need to embed adequate levels of security into their devices, the ultimate responsibility for ensuring an organisation is secure is with the user. This is particularly true as Chief Information Security Officers (CISOs) are under more pressure than ever to maintain the integrity of their organisations, in the face of increasing legislation such as the General Data Protection Regulation (GDPR), which carries potentially crippling fines for data breaches.

Don’t fail to plan

Ultimately, IoT is here, and it isn’t secure. It won’t be secure until IoT device manufacturers make it secure, which will be many years in the future. In the meantime, it’s down to organisations to make sure they are protected. User education should be a key element in defence around IoT deployment, partly because of the increased risks of ‘shadow deployment’ in the workplace with IoT devices.

Business leaders need to ask their IT department or CISO for a strategic plan to deal with IoT vulnerabilities, rather than burying their head in the sand. As the saying goes, a failure to plan is planning to fail.